1 Reply Latest reply on Nov 21, 2011 5:21 PM by John Baker

    KeyStoreKeyManager

    John Baker Newbie

      The PicketLink KeyStoreKeyManager class contains this code:

       

         public void setAuthProperties(List<AuthPropertyType> authList) throws TrustKeyConfigurationException,

               TrustKeyProcessingException

         {

            for (AuthPropertyType auth : authList)

            {

               this.authPropsMap.put(auth.getKey(), auth.getValue());

            }

       

            this.keyStoreURL = this.authPropsMap.get(KEYSTORE_URL);

            this.keyStorePass = this.authPropsMap.get(KEYSTORE_PASS);

       

            this.signingAlias = this.authPropsMap.get(SIGNING_KEY_ALIAS);

       

            String keypass = this.authPropsMap.get(SIGNING_KEY_PASS);

            if (keypass == null || keypass.length() == 0)

               throw new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);

            this.signingKeyPass = keypass.toCharArray();

         }

       

      I'm not sure the lines in bold are correct. It is enforcing a password on an alias within the keystore, but the alias password can be the password of the keystore, and I note:

       

               publicKey = null;
               try
               {
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.keyStorePass.toCharArray());
               }
               catch (UnrecoverableKeyException urke)
               {
                  //Try with the signing key pass
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.signingKeyPass);
               }

       

      Which suggests that the signingKeyPass is optional. Perhaps that exception can be removed for clarity?

        • 1. Re: KeyStoreKeyManager
          John Baker Newbie

          Ignore this post. Further testing reveals the keystore password must be passed if a signing alias password not set in this code:

           

                   return (PrivateKey) ks.getKey(this.signingAlias, this.signingKeyPass);

           

          Maybe if the signing key password is not passed in the configuration, the keystore password should be taken instead?